diff --git a/operator/documentdb-helm-chart/templates/02_documentdb_sidecar_injector.yaml b/operator/documentdb-helm-chart/templates/02_documentdb_sidecar_injector.yaml
index 1dafcded..569173e2 100644
--- a/operator/documentdb-helm-chart/templates/02_documentdb_sidecar_injector.yaml
+++ b/operator/documentdb-helm-chart/templates/02_documentdb_sidecar_injector.yaml
@@ -85,6 +85,20 @@ spec:
 ports:
 - containerPort: 9090
 protocol: TCP
+ {{- if .Values.pluginProbes.enabled }}
+ readinessProbe:
+ tcpSocket:
+ port: 9090
+ initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+ periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+ failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+ livenessProbe:
+ tcpSocket:
+ port: 9090
+ initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+ periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+ failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+ {{- end }}
 {{- with .Values.sidecarInjector.resources }}
 resources:
 {{- toYaml . | nindent 10 }}
diff --git a/operator/documentdb-helm-chart/templates/03_documentdb_wal_replica.yaml b/operator/documentdb-helm-chart/templates/03_documentdb_wal_replica.yaml
index f1693345..7e49ca53 100644
--- a/operator/documentdb-helm-chart/templates/03_documentdb_wal_replica.yaml
+++ b/operator/documentdb-helm-chart/templates/03_documentdb_wal_replica.yaml
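Review bot: The `livenessProbe` added to the sidecar-injector container takes its timing from the same `.Values.pluginProbes.*` keys as the `readinessProbe`, so the two cannot be tuned apart and a plugin that is slow to open port 9090 gets restarted on the same schedule on which it would merely be marked unready; the identical block is added to 03_documentdb_wal_replica.yaml. With the defaults set in values.yaml (5s delay, 10s period, 3 failures) that restart comes after roughly half a minute, which a `startupProbe` or separate liveness keys would decouple from steady-state checking. A `tcpSocket` probe only shows that the port accepts connections, so I would add a template comment such as `# TCP check only: confirms the listener is up, not that the gRPC service answers`. The container definition starts above the hunk.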
@@ -125,6 +125,20 @@ spec:
 ports:
 - containerPort: 9090
 protocol: TCP
+ {{- if .Values.pluginProbes.enabled }}
+ readinessProbe:
+ tcpSocket:
+ port: 9090
+ initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+ periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+ failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+ livenessProbe:
+ tcpSocket:
+ port: 9090
+ initialDelaySeconds: {{ .Values.pluginProbes.initialDelaySeconds }}
+ periodSeconds: {{ .Values.pluginProbes.periodSeconds }}
+ failureThreshold: {{ .Values.pluginProbes.failureThreshold }}
+ {{- end }}
 args:
 - receivewal
 - --server-cert=/server/tls.crt
diff --git a/operator/documentdb-helm-chart/templates/11_pdb.yaml b/operator/documentdb-helm-chart/templates/11_pdb.yaml
new file mode 100644
index 00000000..3790b1e6
--- /dev/null
+++ b/operator/documentdb-helm-chart/templates/11_pdb.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: documentdb-operator
+ namespace: {{ .Values.namespace | default .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "documentdb-chart.name" . }}
+ app.kubernetes.io/component: operator
+ app.kubernetes.io/managed-by: "Helm"
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ {{- with .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ . }}
+ {{- end }}
+ {{- with .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/operator/documentdb-helm-chart/tests/02_sidecar_injector_test.yaml b/operator/documentdb-helm-chart/tests/02_sidecar_injector_test.yaml
index c8f4c711..2e874f72 100644
--- a/operator/documentdb-helm-chart/tests/02_sidecar_injector_test.yaml
+++ b/operator/documentdb-helm-chart/tests/02_sidecar_injector_test.yaml
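Review bot: In 11_pdb.yaml the two `with` blocks are independent, so when both `podDisruptionBudget.minAvailable` and `podDisruptionBudget.maxUnavailable` are set the manifest carries both fields; these are mutually exclusive in the policy/v1 API, so the apply is expected to fail, whereas the values.yaml comment in this commit says only minAvailable is honored in that case. An `if`/`else if` chain as below makes the template match that comment. Either form drops a literal `0`, so `maxUnavailable: 0` would need an explicit empty-string comparison if it is meant to be supported. Separately, the selector matches on `app: {{ .Release.Name }}` while the PDB's own labels use `app.kubernetes.io/*`; the operator Deployment is not part of this diff, so it is worth confirming its pod template carries that `app` label, since a selector that matches no pods protects nothing.

```yaml
spec:
  # … unchanged: selector.matchLabels …
  {{- if .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
  {{- else if .Values.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
  {{- end }}
```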
@@ -155,3 +155,61 @@ tests:
 value: cnpg-system
 - isNotNull:
 path: spec.selfSigned
+
+ # -------------------------------------------------------------------
+ # Plugin probes
+ # -------------------------------------------------------------------
+ - it: should render TCP readiness and liveness probes by default
+ documentIndex: 1
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.tcpSocket.port
+ value: 9090
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+ value: 10
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+ value: 3
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.tcpSocket.port
+ value: 9090
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+ value: 10
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+ value: 3
+
+ - it: should omit probes when pluginProbes.enabled is false
+ set:
+ pluginProbes.enabled: false
+ documentIndex: 1
+ asserts:
+ - notExists:
+ path: spec.template.spec.containers[0].readinessProbe
+ - notExists:
+ path: spec.template.spec.containers[0].livenessProbe
+
+ - it: should use custom probe settings when overridden
+ set:
+ pluginProbes.initialDelaySeconds: 15
+ pluginProbes.periodSeconds: 30
+ pluginProbes.failureThreshold: 5
+ documentIndex: 1
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+ value: 15
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+ value: 30
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+ value: 5
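Review bot: The override case `should use custom probe settings when overridden` asserts only three of the six rendered timing fields (readiness `initialDelaySeconds` and `periodSeconds`, liveness `failureThreshold`), so a template that wired, say, the liveness `periodSeconds` to the wrong value would still pass; the matching case in 03_wal_replica_test.yaml has the same gap with a different subset. Asserting all three keys on both probes in each override test closes it, for example adding `path: spec.template.spec.containers[0].livenessProbe.periodSeconds` with `value: 30` here.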
diff --git a/operator/documentdb-helm-chart/tests/03_wal_replica_test.yaml b/operator/documentdb-helm-chart/tests/03_wal_replica_test.yaml
index a7369d23..bbe6d6e7 100644
--- a/operator/documentdb-helm-chart/tests/03_wal_replica_test.yaml
+++ b/operator/documentdb-helm-chart/tests/03_wal_replica_test.yaml
@@ -145,3 +145,56 @@ tests:
 - equal:
 path: metadata.namespace
 value: cnpg-system
+
+ # -------------------------------------------------------------------
+ # Plugin probes
+ # -------------------------------------------------------------------
+ - it: should render TCP readiness and liveness probes by default
+ set:
+ walReplica: true
+ documentIndex: 3
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.tcpSocket.port
+ value: 9090
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.periodSeconds
+ value: 10
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+ value: 3
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.tcpSocket.port
+ value: 9090
+
+ - it: should omit probes when pluginProbes.enabled is false
+ set:
+ walReplica: true
+ pluginProbes.enabled: false
+ documentIndex: 3
+ asserts:
+ - notExists:
+ path: spec.template.spec.containers[0].readinessProbe
+ - notExists:
+ path: spec.template.spec.containers[0].livenessProbe
+
+ - it: should use custom probe settings when overridden
+ set:
+ walReplica: true
+ pluginProbes.initialDelaySeconds: 20
+ pluginProbes.periodSeconds: 60
+ pluginProbes.failureThreshold: 10
+ documentIndex: 3
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+ value: 20
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.periodSeconds
+ value: 60
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+ value: 10
diff --git a/operator/documentdb-helm-chart/tests/11_pdb_test.yaml b/operator/documentdb-helm-chart/tests/11_pdb_test.yaml
new file mode 100644
index 00000000..46eff464
--- /dev/null
+++ b/operator/documentdb-helm-chart/tests/11_pdb_test.yaml
@@ -0,0 +1,112 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: pod disruption budget
+templates:
+ - 11_pdb.yaml
+
+capabilities:
+ apiVersions:
+ - cert-manager.io/v1/Certificate
+
+tests:
+ # -------------------------------------------------------------------
+ # Feature gate (podDisruptionBudget.enabled)
+ # -------------------------------------------------------------------
+ - it: should not render PDB when disabled (default)
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render PDB when enabled
+ set:
+ podDisruptionBudget.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+
+ # -------------------------------------------------------------------
+ # Metadata
+ # -------------------------------------------------------------------
+ - it: should create a PodDisruptionBudget with correct metadata
+ set:
+ podDisruptionBudget.enabled: true
+ asserts:
+ - isKind:
+ of: PodDisruptionBudget
+ - isAPIVersion:
+ of: policy/v1
+ - equal:
+ path: metadata.name
+ value: documentdb-operator
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: operator
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: Helm
+
+ - it: should use release namespace when values.namespace is empty
+ set:
+ podDisruptionBudget.enabled: true
+ namespace: ""
+ release:
+ namespace: my-ns
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: my-ns
+
+ - it: should use custom namespace when set
+ set:
+ podDisruptionBudget.enabled: true
+ namespace: custom-ns
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: custom-ns
+
+ # -------------------------------------------------------------------
+ # Selector
+ # -------------------------------------------------------------------
+ - it: should select pods by release name
+ set:
+ podDisruptionBudget.enabled: true
+ release:
+ name: my-release
+ asserts:
+ - equal:
+ path: spec.selector.matchLabels.app
+ value: my-release
+
+ # -------------------------------------------------------------------
+ # minAvailable / maxUnavailable
+ # -------------------------------------------------------------------
+ - it: should set minAvailable by default
+ set:
+ podDisruptionBudget.enabled: true
+ asserts:
+ - equal:
+ path: spec.minAvailable
+ value: 1
+ - notExists:
+ path: spec.maxUnavailable
+
+ - it: should use maxUnavailable when set (and minAvailable cleared)
+ set:
+ podDisruptionBudget.enabled: true
+ podDisruptionBudget.minAvailable: ""
+ podDisruptionBudget.maxUnavailable: 1
+ asserts:
+ - equal:
+ path: spec.maxUnavailable
+ value: 1
+ - notExists:
+ path: spec.minAvailable
+
+ - it: should support percentage for minAvailable
+ set:
+ podDisruptionBudget.enabled: true
+ podDisruptionBudget.minAvailable: "50%"
+ asserts:
+ - equal:
+ path: spec.minAvailable
+ value: "50%"
diff --git a/operator/documentdb-helm-chart/values.yaml b/operator/documentdb-helm-chart/values.yaml
index 27128577..bc833abc 100644
--- a/operator/documentdb-helm-chart/values.yaml
+++ b/operator/documentdb-helm-chart/values.yaml
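Review bot: No case in 11_pdb_test.yaml sets `podDisruptionBudget.minAvailable` and `podDisruptionBudget.maxUnavailable` together, although values.yaml documents that combination as "only minAvailable is honored". A test that sets both and asserts `notExists` on `path: spec.maxUnavailable` would pin that contract, and with 11_pdb.yaml as written in this commit I would expect it to fail, because both `with` blocks render. The `capabilities.apiVersions` entry for `cert-manager.io/v1/Certificate` looks carried over from another suite; 11_pdb.yaml does not reference it in the lines shown.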
@@ -74,6 +74,26 @@ certManager:
 # unreliable. Disabling the check does NOT remove the dependency.
 preflightCheck: true
+# PodDisruptionBudget for the operator. Disabled by default because the
+# operator ships with replicaCount: 1 and a PDB on a single-replica deployment
+# blocks node drains. Enable when running multi-replica with leader election.
+# Set exactly one of minAvailable or maxUnavailable; if both are set, only
+# minAvailable is honored.
+podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+ maxUnavailable: ""
+
+# Probes for the CNPG plugin sidecars (sidecar-injector, wal-replica).
+# Both are gRPC servers on port 9090; TCP socket probes are used because
+# the plugins do not expose an HTTP health endpoint. Set probe.enabled=false
+# to omit the probe (e.g., if you supply your own via a patch).
+pluginProbes:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 3
+
 # Per-component pod-level configuration: resources, security contexts, and scheduling.
 # Defaults are conservative and aim to be compatible with Pod Security Admission's
 # `restricted` profile. Override any field per component as needed.
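Review bot: The pluginProbes comment tells users to `Set probe.enabled=false`, but the key defined directly below it is `pluginProbes.enabled`, so following the comment literally sets an unused value and the probes stay on. I would reword that sentence to `Set pluginProbes.enabled=false to omit both probes (e.g., if you supply your own via a patch).`, which also makes clear that the single switch removes the readiness and the liveness probe together.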